Cisco DS-C9216I-K9 Switch Guide - Page 223
Configuring Passwords for Other Devices, Configuring the DHCHAP Timeout Value, Default Fabric
Chapter 19 Configuring Fabric Security

• Approach 2-Use a different password for each switch and maintain that password list in each switch in the fabric. When you add a new switch, you create a new password list and update all switches with the new list. Accessing one switch yields the password list for all switches in that fabric.

• Approach 3-Use different passwords for different switches in the fabric. When you add a new switch, multiple new passwords corresponding to each switch in the fabric must be generated and configured in each switch. Even if one switch is compromised, the passwords of the other switches are still protected. This approach requires considerable password maintenance by the user.

We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to use the local password database, you can continue to do so using Approach 3 and the Cisco MDS 9000 Family Fabric Manager to manage the password database. Refer to the Cisco MDS 9000 Family Fabric Manager User Guide for further information.

All passwords are restricted to 64 alphanumeric characters and can be changed, but not deleted.

Configuring Passwords for Other Devices

You can configure passwords in the local authentication database for other devices in a fabric. The other devices are identified by their device name, which is also known as the switch WWN or device WWN. The password is restricted to 64 characters and can be specified in clear text (0) or in encrypted text (7).

The switch WWN identifies the physical switch. This WWN is used to authenticate the switch and is different from the VSAN node WWN.

Configuring the DHCHAP Timeout Value

During the DHCHAP protocol exchange, if the MDS switch does not receive the expected DHCHAP message within a specified time interval, authentication failure is assumed. The time ranges from 20 (no authentication is performed) to 1000 seconds. The default is 30 seconds.
When changing the timeout value, consider the following factors:

• The existing RADIUS and TACACS+ timeout values.

• The same value must also be configured on all switches in the fabric.

Default Fabric Security Settings

Table 19-2 lists the default settings for all fabric security features in any switch.

Table 19-2 Default Fabric Security Settings

Parameters                    Default
DHCHAP feature                Disabled.
DHCHAP hash algorithm         A priority list of MD-5 followed by SHA-1 for DHCHAP authentication.
DHCHAP authentication mode    auto-passive.

OL-7753-01 Cisco MDS 9000 Fabric Manager Switch Configuration Guide 19-5
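The following Python model ties together the points on this page: a local authentication database keyed by peer switch WWN, the MD-5/SHA-1 hash priority list from Table 19-2, the DHCHAP timeout, and the difference between the three password approaches when one switch is compromised. It is an added example written for this edit, not Cisco MDS code or the FC-SP message format. The challenge/response formula is plain CHAP (H(nonce || secret)) with the Diffie-Hellman part omitted, and every WWN, password and elapsed-time value is constructed for illustration.

```python
"""Toy model of per-peer DHCHAP passwords, hash negotiation, the timeout and
the three password-management approaches.  Added example, not Cisco code.
Assumptions: message layout, CHAP-only digest (no g^xy mod p), and all
WWNs/passwords are constructed."""
import hashlib
import os
from itertools import permutations

MAX_PASSWORD_LEN = 64                 # limit stated in the guide
DEFAULT_HASHES = ("md5", "sha1")      # Table 19-2 default priority list
DEFAULT_TIMEOUT_S = 30                # default DHCHAP timeout
TIMEOUT_RANGE_S = (20, 1000)          # configurable range


def check_password(pw):
    if not (1 <= len(pw) <= MAX_PASSWORD_LEN and pw.isalnum()):
        raise ValueError("password must be 1-64 alphanumeric characters")
    return pw


def _digest(chal, pw):
    # CHAP-style H(nonce || secret) with the negotiated hash.
    return hashlib.new(chal["hash"], chal["nonce"] + pw.encode()).digest()


class Switch:
    """own: the password(s) this switch proves with (optionally one per peer);
    peers: passwords of other devices, keyed by their switch WWN."""

    def __init__(self, wwn, hashes=DEFAULT_HASHES, timeout_s=DEFAULT_TIMEOUT_S):
        if not TIMEOUT_RANGE_S[0] <= timeout_s <= TIMEOUT_RANGE_S[1]:
            raise ValueError("DHCHAP timeout must be 20-1000 seconds")
        self.wwn, self.hashes, self.timeout_s = wwn, tuple(hashes), timeout_s
        self.own = {}     # peer WWN (None = any peer) -> this switch's password
        self.peers = {}   # peer WWN -> that peer's password

    def set_own_password(self, pw, wwn=None):
        self.own[wwn] = check_password(pw)

    def set_device_password(self, peer_wwn, pw):
        self.peers[peer_wwn] = check_password(pw)   # changeable, never deleted

    # responder side
    def challenge(self, initiator_hashes):
        """First hash in our priority list that the initiator also offers."""
        common = [h for h in self.hashes if h in initiator_hashes]
        if not common:
            return None
        return {"from": self.wwn, "hash": common[0], "nonce": os.urandom(16)}

    def verify(self, chal, reply, elapsed_s):
        """Fail on a late reply, an unknown peer WWN, or a bad digest."""
        if reply is None or elapsed_s > self.timeout_s:
            return False
        pw = self.peers.get(reply["from"])
        return pw is not None and reply["digest"] == _digest(chal, pw)

    # initiator side
    def respond(self, chal):
        pw = self.own.get(chal["from"], self.own.get(None))
        if pw is None:
            return None
        return {"from": self.wwn, "digest": _digest(chal, pw)}


def authenticate(initiator, responder, elapsed_s=0.0):
    """One-way DHCHAP-style exchange; elapsed_s simulates the reply delay."""
    chal = responder.challenge(initiator.hashes)
    return chal is not None and responder.verify(chal, initiator.respond(chal), elapsed_s)


def build_fabric(approach, n):
    """Provision n switches under Approach 1 (one shared password),
    2 (one password per switch, list held by all) or 3 (one per pair)."""
    wwns = ["20:%02x:00:05:30:00:3f:9e" % i for i in range(1, n + 1)]  # constructed
    sw = {w: Switch(w) for w in wwns}
    for a in wwns:
        for b in wwns:
            if a == b:
                continue
            if approach == 1:
                pw = "fabricsecret"
            elif approach == 2:
                pw = "pw" + a[3:5]
            else:
                pw = "pw" + "".join(sorted((a[3:5], b[3:5])))
            sw[a].set_own_password(pw, wwn=b)
            sw[b].set_device_password(a, pw)
    return sw


def impersonation_pairs_after_compromise(sw, compromised):
    """Ordered (victim, target) pairs not involving the compromised switch
    whose authentication an attacker can now forge with what it learned."""
    leaked = set(sw[compromised].own.values()) | set(sw[compromised].peers.values())
    others = [w for w in sw if w != compromised]
    return sum(1 for v, t in permutations(others, 2)
               if sw[v].own.get(t, sw[v].own.get(None)) in leaked)


if __name__ == "__main__":
    fab = build_fabric(3, 5)
    a, b = list(fab)[:2]
    print("auth ok:", authenticate(fab[a], fab[b]))
    print("late reply:", authenticate(fab[a], fab[b], elapsed_s=31))
    for ap in (1, 2, 3):
        f = build_fabric(ap, 5)
        print("approach", ap, "pairs exposed:",
              impersonation_pairs_after_compromise(f, list(f)[0]))
```

With five switches, compromising one switch under Approach 1 or 2 lets the attacker forge authentication for all 12 ordered pairs among the remaining four switches, while under Approach 3 it yields none, which is the guide's reason for recommending Approach 3 (or RADIUS/TACACS+) beyond small fabrics. A reply arriving after the configured timeout fails regardless of the digest, so the timeout must match on both ends and sit above the RADIUS/TACACS+ timeouts it may be waiting on.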